27 January 2004
MyDoom worm spreading fast, Sophos warns users to be wary of viral email and hacker attack
Worm creates possessed zombie army to attack SCO website
Sophos technical support has warned users of the W32/MyDoom-A worm, which is spreading widely across the internet.
The MyDoom worm (also known as Novarg or Mimail-R) spreads via email, using a variety of technical-sounding subject lines and attachment names. If the attached file is launched, and the worm activated, the infected computer's hard disk is harvested by the worm for more email addresses to send itself to. The worm opens a backdoor onto infected computers which allows hackers to gain access.
The worm also spreads via the KaZaA file sharing network, and launches a denial of service (DoS) attack from infected computers (known as "zombies") against SCO's website between 1 and 12 February.
"MyDoom is unlike many other mass-mailing worms we have seen in the past, because it does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages," said Graham Cluley, senior technology consultant for Sophos. "MyDoom can pose as a technical-sounding message, claiming that the email body has been put in an attached file. Of course, if you launch that file you are potentially putting your data and computer straight into the hands of hackers."
"When the MyDoom worm forwards itself via email, it can create its attachment in either Windows executable or Zip file format. It is possible the worm's author did this in an attempt to bypass company filters which try and block EXE files from reaching their users from the outside world," continued Cluley.
Sophos has published a detailed analysis of, and protection against, W32/MyDoom-A. A standalone disinfection utility is also available. Enterprise Manager customers are automatically protected at the time of their next scheduled update.
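The point about Zip attachments slipping past filters that only block EXE files can be shown with a gateway-style check that inspects attachment content, including the members of Zip archives, rather than trusting the outer file type. This is an added example, not Sophos code; the function names, size and depth limits, and sample file names are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

MZ_MAGIC = b"MZ"                      # first bytes of a Windows executable
ZIP_MAGIC = b"PK\x03\x04"             # first bytes of a Zip local file header
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap on an unpacked member
MAX_DEPTH = 2                         # assumed limit on Zip-inside-Zip nesting


def executable_paths(name, data, depth=0):
    """Return the names of executable payloads in data, descending into Zips."""
    if data.startswith(MZ_MAGIC):
        return [name]
    if not data.startswith(ZIP_MAGIC):
        return []
    if depth >= MAX_DEPTH:
        return [f"{name} (nested too deep to inspect)"]
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member = f"{name}!{info.filename}"
                # Encrypted or oversized members cannot be checked: flag them.
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    hits.append(f"{member} (uninspectable)")
                    continue
                hits += executable_paths(member, archive.read(info), depth + 1)
    except zipfile.BadZipFile:
        hits.append(f"{name} (malformed zip)")
    return hits


def scan_message(raw_bytes):
    """List every attachment in a raw email message that carries an executable."""
    hits = []
    for part in message_from_bytes(raw_bytes).walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b""
            hits += executable_paths(part.get_filename() or "(unnamed)", payload)
    return hits


def build_sample(filename, data):
    """Build a constructed test message with one attachment (no real worm data)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed sample body")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A filter that matches only on the outer attachment type would pass the Zip case; this check reports the executable member inside it.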
See also:
- MyDoom-B author beware! Microsoft is after you
- New variant: W32/MyDoom-B discovered. New version of worm attacks Microsoft and SCO websites
- SCO offers $250,000 for the head of MyDoom's author
- MyDoom worm: the latest weapon in the Linux wars?

